Firewall with PureFTPd...

Hello,
I want to set up an FTP server. When the Mac OS Firewall is disabled it works perfectly, but when it is enabled the connection and the authentication work but the LIST command doesn't work... I am in PASSIVE mode; I use PureFTPd Manager and Cyberduck.
The port of my FTP server is 21.
Does anybody know what is happening with the Mac OS firewall?
PS: I have a Linksys router, and I set up NAT for port 21 to my local address... The problem doesn't come from this part.

Hello,
I want to set up an FTP server. When the Mac OS
Firewall is disabled it works perfectly, but when
it is enabled the connection and the authentication
work but the LIST command doesn't work... I am in
PASSIVE mode; I use PureFTPd Manager and Cyberduck.
The port of my FTP server is 21.
If you look at this document that compares active FTP vs passive FTP, you will see that as far as firewalls are concerned it is better to use active FTP if you're running an FTP server. That way you only need to open ports 20 and 21 on your router and firewall.
Out of curiosity, which model Linksys router are you using, and why are you using the Mac's built-in firewall? If you're behind a router it is not so important to run a firewall on your Mac.
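
Why LIST can fail while login succeeds, as an added example that is not part of the thread: in passive mode the server announces a separate data port in its 227 reply, and the directory listing travels over that port rather than port 21. The sketch below parses constructed 227 replies and checks them against the ports a firewall lets in; the 50000-50100 range and all addresses are assumptions.

```python
import ipaddress
import re

# The six comma-separated numbers of a 227 reply (RFC 959 PASV): h1,h2,h3,h4,p1,p2.
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

# Constructed sample reply: a server on a private LAN address offering port 50000.
SAMPLE_REPLY = "227 Entering Passive Mode (192,168,1,10,195,80)"

# Inbound TCP ranges (inclusive) a firewall might allow. The second range is an
# assumed passive range, not a value taken from the thread.
ONLY_CONTROL = [(21, 21)]
CONTROL_AND_PASSIVE = [(21, 21), (50000, 50100)]


def parse_pasv(reply):
    """Return (ip, port) announced by a '227 Entering Passive Mode' reply."""
    if not reply.startswith("227"):
        raise ValueError("not a PASV reply: %r" % reply)
    match = PASV_RE.search(reply)
    if match is None:
        raise ValueError("no address tuple in: %r" % reply)
    nums = [int(n) for n in match.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in: %r" % reply)
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]  # high byte first, then low byte
    return ip, port


def diagnose(reply, allowed_ranges, client_is_remote):
    """List the reasons the data connection used by LIST would fail.

    allowed_ranges: inclusive (first, last) port ranges that the host firewall
    and the router both pass through to the FTP server.
    client_is_remote: True when the client connects from outside the LAN.
    """
    ip, port = parse_pasv(reply)
    problems = []
    if not any(first <= port <= last for first, last in allowed_ranges):
        problems.append("data port %d is not allowed inbound" % port)
    if client_is_remote and ipaddress.ip_address(ip).is_private:
        problems.append("server announces private address %s" % ip)
    return problems


if __name__ == "__main__":
    print(parse_pasv(SAMPLE_REPLY))
    print(diagnose(SAMPLE_REPLY, ONLY_CONTROL, client_is_remote=False))
    print(diagnose(SAMPLE_REPLY, CONTROL_AND_PASSIVE, client_is_remote=False))
    print(diagnose(SAMPLE_REPLY, CONTROL_AND_PASSIVE, client_is_remote=True))
```

pure-ftpd can be held to a fixed passive range with `-p first:last` (`--passiveportrange`), which keeps the firewall and router rule narrow, and `-P` (`--forcepassiveip`) sets the address it announces to clients.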

Similar Messages

  • Help needed with Firewall and pureftpd

    I am having trouble getting the Leopard Firewall to let through ftp connections with PureFTPD manager 1.7
    On a clean install of Leopard I set the firewall to "Set access for specific services and applications". For ssh, and apache (web sharing) this worked just fine.
    I then installed PureFTPD Manager 1.7 (The version that is supposed to work with Leopard).
    However I have been unable to get the firewall to let through connections to the pure-ftpd server.
    I selected "allow" when OSX prompted me whether ProFTPD should be permitted to open a port. That worked right after I installed ProFTPD Manager until I reset the computer. Then it stopped working.
    I tried adding the pure-ftpd application to the application list in the Firewall settings. That didn't work.
    I always get "Deny pure-ftpd connecting from ..." in the firewall log.
    Has anyone out there gotten pro-ftpd to work with the Leopard firewall set to "Set access for specific services and applications?"
    Please don't suggest to disable the firewall or to use ipfw. Disabling the firewall I don't consider a reasonable solution for a computer that is exposed to the internet, and I would prefer not to have to use ipfw for everything.
    Thank you

    I'm assuming that this works fine if you disable the firewall altogether, correct?
    ipfw won't help you here since the way that the leopard firewall is setup, it's already set as an 'allow all'.
    Rather than waiting for the 'do you want to allow...' dialog to come up, have you tried clicking the + in the firewall and adding the application directly?
    Also, can you describe how you are performing your tests? From the same system or a different system? From behind a router/firewall or on the same segment?
    You may also want to read through this post on how the firewall works. It sounds like you already understand 99% of it though. http://discussions.apple.com/thread.jspa?threadID=1337153&tstart=0#6317068
    One last resort option would be to delete the firewall preference file and reboot to start over.
    You'd want to nuke /Library/Preferences/com.apple.alf.plist

  • I have just installed Lion OS and Face Time encounters server problems on sign up. I have sought the firewall problem without success and even temporarily turned off firewall with no success.

    I have just installed Lion OS and Face Time encounters server problems on sign up. I have sought to rectify the firewall problem without success and even temporarily turned off firewall with no success. Any ideas?

    Some folks have discovered that changing their DNS service fixes FaceTime connection issues.
    The ideal way is to configure your modem/router with DNS service, but often settings in System Preferences/Network/Advanced/DNS on your Mac will override the router settings. Try either of these;
    OpenDNS
    208.67.222.222, 208.67.220.220
    Google Public DNS
    8.8.8.8, 8.8.4.4

  • AGPM 4.0 SP2 Editors cannot open "Windows Firewall with Advanced Security" area of a GPO

    When attempting to Edit a checked-out GPO in AGPM, & navigating to "Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security - LDAP://CN...." Editors
    get:
    "There was an error opening the Windows Firewall with Advanced Security snap-in
    An error occurred while trying to open the policy.
    Error: The system cannot find the path specified
    Code 0x3"
    This happens with GPOs that existed prior to AGPM install where the GPO was "controlled", and with new Controlled GPOs created within AGPM.  A workaround is to grant the user Full Control within AGPM (and have them re-launch Group Policy Management
    MMC via Shift right-click "Run as different user"), but this circumvents the Change Control we are attempting to use AGPM for.  Any ideas of how to fix this, or how to file a bug report?
    Also, changes made to Incoming Firewall rules do not show up in the AGPM Settings or Differences reports.  I'd imagine this is related to the known issue described on the Release Notes page here:
    http://technet.microsoft.com/en-us/library/dn458958.aspx

    Hi Fabian - Thanks for the response.  I checked & the AGPM Server is on a subnet that was not mapping to any AD Site.  Based on its subnet/location, it actually should be in the same Site as the PDCe.  I added a new Subnet definition to
    AD & waited until "nltest /dsgetsite" was reporting the correct Site on the AGPM Server.  Now, with just Editor role, I can access the Advanced Firewall area of a checked out GPO from my AGPM Client, which is correctly in a different AD Site. 
    I think this might have solved it.
    Should this requirement be added to AGPM documentation?  "AGPM Server must be installed on a server that is in the same AD Site as the DC holding the PDCe role."
    Thanks for the tip!

  • Windows 8 Windows Firewall with Advanced Security snap-in failed to load Error code: 0x6D9

    Laptop did not come with support CD, all pre-installed.
    I checked out "The Windows Firewall with Advanced Security snap-in failed to load" for Windows 7 Pro
    but it is not helping me with Windows 8. I am trying to update to Windows 8.1 but this error won't let me.
    Please help me.

    Hi,
    I have exactly the same issue. Could you tell me how you fixed it?
    Thank you!

  • Standard (application-based) firewall with one additional port open?

    Lion and Snow Leopard both have application based firewalls.  I want to allow access to a Minecraft server on port 25565 but I don't want to allow all of Java.  How can I open one port in addition to leaving the standard firewall in place?

    Hi
    The Zone based firewall uses "inspect" statements, that's just what it does.
    A simple zone-based firewall that will inspect all traffic going from the local network to the internet and protecting the outside interface of the router, but allowing anyconnect connections would look something like this:
    ip access-list standard INSIDE-NETWORK_ACL
     permit 192.168.1.0 0.0.0.255
    class-map type inspect INSIDE-NETWORK_CMAP
     match access-group name INSIDE-NETWORK_ACL
    class-map type inspect HTTPS_CMAP
     match protocol https
    policy-map type inspect INSIDE-TO-OUTSIDE_PMAP
     class type inspect INSIDE-NETWORK_CMAP
      inspect
    policy-map type inspect OUTSIDE-TO-SELF
     class type inspect HTTPS_CMAP
      pass
    zone-pair security INSIDE-TO-OUTSIDE_ZP source INSIDE destination OUTSIDE
     service-policy type inspect INSIDE-TO-OUTSIDE_PMAP
    zone-pair security OUTSIDE-TO-SELF_ZP source OUTSIDE destination self
     service-policy type inspect OUTSIDE-TO-SELF
    I haven't personally configured Zone Based Firewall with anyconnect. So if this doesn't work you can look at this link: https://supportforums.cisco.com/document/46481/anyconnect-ios-zone-based-firewall-zbfw

  • Transparent firewall with CSC

    Hi,
    We will be deploying 1 firewall with IPS module and 1 transparent firewall with CSC module. Please refer to the diagram. Is there any concern for this deployment? Will it work?
    Please advise.
    Thanks.

    Yes. Absolutely. No problem.
    -Kureli

  • Firewall with AES Authentication?

    Hello,
    We are looking for a firewall that supports IPSec VPN with AES as authentication, referring to the following URL:
    http://www.ietf.org/rfc/rfc3566.txt
    Note that it is not AES as encryption we are looking for, it's AES as authentication.
    Is there any Cisco firewall that supports this?
    Best regards

    Can someone explain to me (step by step) how to configure
    a firewall with X86 solaris
    what software ?
    but without using sunscreen .
    where to download them ?
    Well, not much to say: http://coombs.anu.edu.au/~avalon/

  • Transparent firewall with failover with multiple contexts

    I am running 8.4(2) on ASA5585s. They are in multiple context mode and set to transparent firewall with active/active failover. When I do a sh failover in a context I see 2 of my interfaces are (waiting). I have a BVI and these are the IP addresses on the interfaces in the "sh failover" below.
    Failover On
    Last Failover at: 11:54:39 GMT/IST Feb 23 2012
            This context: Standby Ready
                    Active time: 175394 (sec)
                      Interface ctxb-inside (x.x.x.165): Normal (Waiting)
                      Interface ctxb-outside (x.x.x.165): Normal (Monitored)
            Peer context: Active
                    Active time: 11390663 (sec)
                      Interface ctxb-inside (x.x.x.164): Normal (Monitored)
                      Interface ctxb-outside (x.x.x.164): Normal (Waiting)
    Why are the interfaces in (waiting)?

    Are you able to ping between the interfaces? I.e., can you ping x.x.x.165 from x.x.x.164 and vice versa? If you are not able to ping it, that means there is no connectivity between the 2, hence the status is in Normal (Waiting) because it has not received the hello packet on that corresponding interface.
    Here is the reference guide FYI:
    http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/s3.html#wp1505709

  • NO LONGER ABLE TO USE FIREWALL WITH 10.5.5

    It took me a while to figure out it was my firewall preventing me from connecting to the internet, since I've had no problems before, until I updated to 10.5.5 (the only major change since the problem started). Now my firewall setting is "Allow all incoming connections". I would like to have it set at "Set access for specific services and applications". Any suggestions? TIA

    Hiya,
    that's odd. When you go to system preferences/security and select the firewall tab, you should be able to set to "set access for specific services and applications" with no problems at all (your administrator password may be required).
    And whilst not the best, the firewall does work. So most odd, if it should "fail" after the 10.5.5 update. If you cannot find the radio button for the specific access, then try the 10.5.5 combo update http://www.apple.com/downloads/macosx/apple/macosx_updates/macosx1055comboupdate.html,
    but do not install until you have repaired disk permissions (which you should do prior to any software update).

  • Controlling the Adaptive Firewall with `afctl`

    For those of you that don't know, afctl controls (is?) Leopard Server's Adaptive Firewall. It's a really cool program: you give it an IP address and a time-to-live in minutes, and that IP instantly gets firewalled for about that many minutes.
    Here is the man page for the program:
    http://developer.apple.com/documentation/Darwin/Reference/ManPages/man8/afctl.8.html
    And here is the man page for its config file:
    http://developer.apple.com/documentation/Darwin/Reference/ManPages/man5/af.plist.5.html
    At first it seems like the perfect program. But I'm having big problems with it, all regarding rule numbers.
    afctl's first firewall rule is number 1700. Its next rule is 1705. And so on and so on. Now my rules come from a script I have running on my server, that automatically 'detects' abusers and blocks them. Rules last for 1 hour. So after the first hour of running, rule 1700 will expire, then 1705 and so on. New rules that are constantly getting generated are up to maybe let's just say 1840.
    So even though rules only last an hour, the rule numbers keep going up and up and up. This becomes a big problem because once the rules get to 12300, they overlap and then pass existing rules in ipfw. Once they surpass this, incoming packets are matched and accepted before they get to their block rule (generated by afctl). So every second or so, another and another and another firewall rule gets added to block that same IP. But the rules are so high they don't work. Multiply this by 30 or 40 IPs at a time and you can see how once my afctl rules get to 12300, total chaos ensues.
    If I totally disable my script for two hours, and let all my afctl rules expire. Then I can re-enable the script and it will start generating rules again at 1700. But this can be a problem, some times I'm getting more traffic than I can handle during those two hours. After about 250 requests per second, things start to get sketchy.
    I need a way to manage these rule numbers without having to turn off the script that makes these rules.
    One thing that confuses me is the 'default_set' setting in the af.plist file. I'm not sure what this means, but does this somehow let me put my afctl rules into their own 'group'? The default setting for 'default_set' in my plist file is 17. That means nothing to me though. Reading the ipfw man page, it refers to its whole configuration as its 'ruleset'. So I'm not sure what this setting is, or if it can help me.
    As it stands now, I have to 'reset' my rules (by way of disabling my script and letting all afctl created rules expire) about every other day. If I could have afctl rules increment by 1 instead of 5, that would give me about 10 days. Still a bandaid, but a better bandaid. If there was a way to make afctl choose rules that are the lowest available rule number greater than 1699, so as rules expired, their numbers would be recycled. That would also work. Although I'd feel better if my dynamic rules also had a greater range to live in than 1700-12300. But I'd have to be under one **** of an attack for that not to be enough.

    Well I found a solution, but it's not great. I run the following commands daily (nightly).
    sudo rm /var/db/af/blacklist;
    sudo ipfw delete set 17;
    sudo /usr/libexec/afctl;
    This deletes any memory afctl has of its rules. Then it manually deletes all the rules it's made. Then it recreates its database file.
    This will make your rules start over every night so you won't get 'rule number overflow' headaches.
    OF COURSE the whole point of afctl is auto-expiring firewall rules. So if you're going to do this, I might as well have my server firewall addresses directly to ipfw instead of bothering with afctl. I'm going to leave it using afctl now only because it's already set up and running. At least I can be away from my server now without having a rule number overflow which for several different reasons brings my server to its knees.
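
The rule-number recycling the first post asks for, as an added example that is not afctl's behaviour or code from the thread: a small allocator that always hands out the lowest free number between 1700 and 12300 and returns the ipfw commands a blocking script would run. The class and function names are hypothetical, and reusing set 17 is an assumption taken from the poster's `default_set` value.

```python
import heapq
import ipaddress

FIRST_RULE = 1700    # first rule number afctl uses, per the post
LIMIT_RULE = 12300   # from here up, block rules sit behind existing ipfw rules
RULE_SET = 17        # 'default_set' in the poster's af.plist (assumed reusable)


class BlockList:
    """Tracks temporary blocks and reuses the lowest free rule number."""

    def __init__(self):
        self.free = []              # min-heap of recycled rule numbers
        self.next_new = FIRST_RULE  # next never-used rule number
        self.active = {}            # ip -> (rule_number, expires_at)

    def _take_number(self):
        if self.free:
            return heapq.heappop(self.free)
        if self.next_new >= LIMIT_RULE:
            raise RuntimeError("no rule numbers left below %d" % LIMIT_RULE)
        number = self.next_new
        self.next_new += 1
        return number

    def expire(self, now):
        """Drop blocks whose time is up; return the ipfw commands to run."""
        cmds = []
        for ip, (number, expires_at) in sorted(self.active.items()):
            if expires_at <= now:
                del self.active[ip]
                heapq.heappush(self.free, number)
                cmds.append("ipfw delete %d" % number)
        return cmds

    def block(self, ip, ttl_minutes, now):
        """Block ip for ttl_minutes; return the ipfw commands to run."""
        # Normalise and validate, so only a real address reaches the command.
        ip = str(ipaddress.ip_address(ip))
        cmds = self.expire(now)
        expires_at = now + ttl_minutes * 60
        if ip in self.active:
            # Already blocked: extend the expiry instead of adding a duplicate
            # rule (the thread describes duplicates piling up for one IP).
            number, _ = self.active[ip]
            self.active[ip] = (number, expires_at)
            return cmds
        number = self._take_number()
        self.active[ip] = (number, expires_at)
        cmds.append("ipfw add %d set %d deny ip from %s to any"
                    % (number, RULE_SET, ip))
        return cmds


if __name__ == "__main__":
    # Constructed demo using documentation addresses (203.0.113.0/24).
    bl = BlockList()
    for ip, t in [("203.0.113.5", 0), ("203.0.113.6", 10), ("203.0.113.7", 3615)]:
        print(t, bl.block(ip, 60, now=t))
```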

  • ___How to access database behind firewall with JDBC___

    How to access a database behind a firewall? I have an applet that runs from a server behind that firewall. I can make applet-servlet-database calls, but I cannot make applet-database calls. Therefore, I must go through servlets.
    This causes a problem as the ResultSet object is not serializable. I have found two solutions using a search.
    1) Store info into a Vector and transmit the vector. This option will take up a huge amount of time with large ResultSets.
    2) Use Sun's CachedRowSet, which is serializable. I read the license under the CachedRowSet, and it does not allow use for "productive and commercial" use.
    Does anyone have any other suggestions I am missing?

    I'm pretty sure there are other implementations of CachedResultSet out there that don't have the licensing restrictions on them, so maybe you could hunt down one of those.
    As far as storing it in a Collection of some kind, I've never found a huge performance problem in doing so. When iterating through the ResultSet anyway, the additional cost of placing data in a different structure is minimal, even on larger results.

  • Enable firewall with GP but allow users to disable....

    I'm wondering how I can enable the firewall in group policy but allow a user to disable it if they have to.  I see that it says "settings are controlled by group policy" when I go to try to turn it off on a vista machine.  Thanks.

    Hi,
     GPOs do not provide this functionality unless you are using the special group policy preferences settings which do not include control over the firewall. Your best bet is probably to simply deploy the OS with the default setting of the firewall being
    active and this would allow any local administrator to change the configuration.
     Alternatively, you could dig down and determine the registry keys to control the firewall and change those with group policy preferences.
    Thanks,
    Guy

  • Bypassing proxy/firewall with Applet URLConnection?

    I am trying to download images from an image server to an Applet. Currently I am using URLConnection to connect to server and download the image to a byte array.
    The problem arises when I try to download the images through a proxy/firewall. The applet doesn't seem to connect to the server using URLConnection, however it works fine over a standard modem connection!
    Running the code as an application, instead of an applet with the following parameters to use the proxy :
    Properties systemProperties = System.getProperties();
    systemProperties.put("proxySet","true");
    systemProperties.put("proxyHost",host);
    systemProperties.put("proxyPort",proxyport);
    System.setProperties(systemProperties);
    This works perfectly, and the images are downloaded.
    The problem is that I need to run it as an applet and not as an application. I was under the impression that the browser settings for proxy and port will automatically be sent to the applet and I don't have to set it manually.
    Please let me know if anyone has any solutions. Thanking you in anticipation!

    On IE, you can limit the addresses that will go through the proxy server.
    On the Tools menu select "Internet Options", then "Connections", then "Lan Configurations", then "Advanced", then "Exceptions"; now input the addresses that will not use the proxy/firewall.
    Excuse my English.
    Best Regards
    Isaias Cristiano Barroso

  • Fixing Leopard FTP: Mixed up with PureFTPd from Tiger

    Okay, so basically what happened is that I was using (and enjoying) PureFTPd in Tiger, but the manager doesn't work in Leopard. I'm sure it'll be updated eventually, but I figure I'll just use the default one and force it to route through SSH for added security. Unfortunately, I can't get it working. I figured out the files PureFTP added by looking at the package (and removed them), AND I learned about /System/Library/LaunchDaemons/ftp.plist... but I don't know what's supposed to go here. It still has all the PureFTPd entries, after all. Can anyone using the default FTP in Leopard post the contents of their ftp.plist file so I can get mine going?

    Okay, I think I figured things out. First off, you need to delete the PureFTPD startup item, or it will keep respawning its FTP information. This can be done by deleting /Library/StartupItems/PureFTPD.
    Next, you need to replace the contents of the ftp.plist file in /System/Library/LaunchDaemons with the following (extracted from my Dad's Macbook). It may be a good idea to just use the Plist editor and switch the application and parameters manually, if you have it installed with XCode, but otherwise it should work so long as you don't miss anything and it's valid XML. You won't normally have write access here, so you either need to edit it externally and copy it in, or use sudo nano, sudo vi, or whatever. Note that you should also make sure the ownership is still root and group wheel after you are done, as it could end up with you as owner instead (if you copied it from elsewhere). To switch it back, just do:
    sudo chown root ftp.plist
    sudo chgrp wheel ftp.plist
    Here's the file (it lost its tabs by posting, but you can always indent on the <dict> tags if you prefer):
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
    <key>Label</key>
    <string>com.apple.ftpd</string>
    <key>Program</key>
    <string>/usr/libexec/ftpd</string>
    <key>ProgramArguments</key>
    <array>
    <string>ftpd</string>
    <string>-l</string>
    </array>
    <key>SHAuthorizationRight</key>
    <string>system.preferences</string>
    <key>Sockets</key>
    <dict>
    <key>Listeners</key>
    <dict>
    <key>Bonjour</key>
    <true/>
    <key>SockServiceName</key>
    <string>ftp</string>
    </dict>
    </dict>
    <key>inetdCompatibility</key>
    <dict>
    <key>Wait</key>
    <false/>
    </dict>
    </dict>
    </plist>
